2/03/2010 @ 1:45PM

Cisco's Backdoor For Hackers

Activists have long grumbled about the privacy implications of the legal “backdoors” that networking companies like Cisco build into their equipment: functions that let law enforcement quietly track the Internet activities of criminal suspects. Now an IBM researcher has revealed a more serious problem with those backdoors: They don’t have particularly strong locks, and consumers are at risk.

In a presentation at the Black Hat security conference Wednesday, IBM Internet Security Systems researcher Tom Cross unveiled research on how easily the “lawful intercept” function in Cisco’s IOS operating system can be exploited by cybercriminals or cyberspies to pull data out of the routers belonging to an Internet service provider (ISP) and watch innocent victims’ online behavior.

“We need to balance privacy interests with the state’s interest in monitoring suspected criminals,” says Cross. “There’s long been a political debate about where that balance should be. But there are also these serious underlying technical problems.”

Cross revealed a collection of security weaknesses in Cisco’s architecture that he says add up to a lawful intercept system that could be easily hijacked by a skilled cybercriminal. When hackers try to gain access to a Cisco router, the system doesn’t block them after failed password-guessing attempts and it doesn’t alert an administrator. Many Cisco routers are still vulnerable, he said, to a bug that was publicized in June 2008, since some administrators haven’t implemented the patch that Cisco later released. And once data has been collected using the lawful intercept, it can be sent to any destination, not merely to an authorized user.

“Each [bug] isn’t a big deal, but when you add them all together the situation is fairly bleak,” Cross told the Black Hat audience.

In an interview with Forbes following his talk, Cross expressed the most concern over an ISP’s inability to audit whether someone had used the function. That invisibility, he said, was intended to hide the technique from ISP employees who might detect the intercept and alert the suspect under surveillance.

But the result, Cross says, is that any credentialed employee can implement the intercept to watch users, and the ISP has no method of tracking those privacy violations. “An insider who knows the password can use it without an audit trail and send the data to anywhere on the Internet,” Cross says.
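The two controls the article says are missing, locking out or alerting on repeated failed logins and recording where intercepted traffic is sent, can be illustrated with a short log-review routine. The following is an added example written for this page; it is not code from the article, from Cross’ research or from Cisco. The log line format, the threshold, the one-minute window and the allowlist of authorized collection addresses are all constructed for the example and are not Cisco’s actual syslog or SNMP format.

```python
"""
Added example: two operator-side checks around a lawful-intercept function.
  1. detect_bruteforce  - flag a source that fails authentication repeatedly
                          inside a sliding window (the lockout/alert the
                          article says the router does not perform).
  2. audit_intercepts   - produce an audit record for every intercept that was
                          started and mark any whose destination is not an
                          authorized collector.
The log format below is constructed for this example and is not Cisco's.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real router output).
SAMPLE_LOG = """\
2010-02-03T13:40:01 auth-fail user=admin src=203.0.113.9
2010-02-03T13:40:03 auth-fail user=admin src=203.0.113.9
2010-02-03T13:40:05 auth-fail user=admin src=203.0.113.9
2010-02-03T13:40:07 auth-fail user=admin src=203.0.113.9
2010-02-03T13:40:09 auth-fail user=admin src=203.0.113.9
2010-02-03T13:41:00 auth-fail user=ops src=198.51.100.7
2010-02-03T13:42:30 auth-ok user=ops src=198.51.100.7
2010-02-03T13:43:00 intercept-start user=ops target=10.0.0.5 dest=192.0.2.10
2010-02-03T13:44:00 intercept-start user=ops target=10.0.0.6 dest=203.0.113.200
"""

# Assumed policy values for the example.
FAIL_THRESHOLD = 5                  # failures inside the window that trigger an alert
FAIL_WINDOW = timedelta(minutes=1)  # sliding window length
ALLOWED_DESTS = {"192.0.2.10"}      # assumed authorized collection points


def parse_line(line):
    """Parse one constructed log line into a dict of fields."""
    ts, event, *kvs = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    for kv in kvs:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def detect_bruteforce(lines, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Return the set of source addresses that produced at least `threshold`
    authentication failures within any `window`-long span of time."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    flagged = set()
    for rec in map(parse_line, lines):
        if rec["event"] != "auth-fail":
            continue
        times = failures[rec["src"]]
        times.append(rec["ts"])
        # drop failures that fell out of the sliding window
        while times and rec["ts"] - times[0] > window:
            times.pop(0)
        if len(times) >= threshold:
            flagged.add(rec["src"])
    return flagged


def audit_intercepts(lines, allowed=ALLOWED_DESTS):
    """Return one audit record per intercept-start event, marking whether the
    data destination is an authorized collector. This is the audit trail the
    article says operators currently lack."""
    records = []
    for rec in map(parse_line, lines):
        if rec["event"] != "intercept-start":
            continue
        records.append({
            "ts": rec["ts"].isoformat(),
            "user": rec["user"],
            "target": rec["target"],
            "dest": rec["dest"],
            "authorized": rec["dest"] in allowed,
        })
    return records


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("sources exceeding failure threshold:", detect_bruteforce(lines))
    for record in audit_intercepts(lines):
        status = "ok" if record["authorized"] else "UNAUTHORIZED DESTINATION"
        print(record["ts"], record["user"], record["target"], "->", record["dest"], status)
```

Run against the constructed sample, the first check flags 203.0.113.9 (five failures in eight seconds) while the single failure from 198.51.100.7 stays below threshold, and the second check records both intercepts and marks the one sent to 203.0.113.200 as going to an address outside the allowlist. The point of the second function is not the allowlist itself but that every intercept leaves a record naming the operator, the target and the destination.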

Cross told Cisco about his findings in December 2008, but with the exception of the patch Cisco released following the revelation of its router bug in 2008, the security flaws he discussed haven’t been fixed. In an interview following Cross’ talk, Cisco spokeswoman Jennifer Greeson said that the company is “confident in its framework.” “We recognize that security is complicated,” she said. “We’re looking at [Cross'] findings and we’ll take them into account.”

Cisco isn’t actually the primary target of Cross’ critique. He points out that all networking companies are legally required to build lawful intercepts into their equipment.

Cisco, in fact, is the only networking company that follows the recommendations of the Internet Engineering Task Force standards body and makes its lawful intercept architecture public, exposing it to peer review and security scrutiny. The other companies keep theirs in the dark, and they likely suffer from the same security flaws or worse. “Cisco did the right thing by publishing this,” says Cross. “Although I found some weaknesses, at least we know what they are and how to mitigate them.”

The exploitation of lawful intercept is more than theoretical. Security and privacy guru Bruce Schneier wrote last month that the Google hackings in China were enabled by Google’s procedures for sharing information with U.S. law enforcement officials. And in 2004 and 2005, a group of hackers used intercept vulnerabilities in Ericsson network switches to spy on a wide range of political targets including the cellphone of Greece’s prime minister.

All of that, argues IBM’s Cross, means that Internet-related companies need to be more transparent about their lawful intercept procedures or risk exposing all of their users. “There are a lot of other technology companies out there that haven’t published their architecture, so they can’t be audited,” he said in his Black Hat talk. “We can’t be sure of their security as a result.”